Space invaders

They're out there, watching, waiting, using software known as
spyware. They can enter your computer and retrieve your credit card
details and bank passwords in a matter of minutes - without you
even being aware of the intrusion.

According to a US survey last October, 80 per cent of home
computers carry some form of spyware.

Spyware is a hot issue on the global IT agenda with governments,
industry and consumer groups all grappling to respond to growing
public concern.

So how safe is your computer?

Simon Clausen, chief executive of Melbourne-based PC Tools, one
of many companies that sell anti-spyware software, says his company
sees 30 to 40 new variants of spyware each week.

"The threat of spyware is gathering momentum," he says.

The majority of spyware is aimed at feeding relatively innocuous
information about your web browsing habits back to marketing
companies, but there is growing evidence that criminals are turning
to spyware to fleece unsuspecting internet users.

The most serious spyware intrusions involve net users
downloading keylogger software that records a person's key strokes,
including information such as passwords to bank websites, and then
sending them to a malicious third party.

A recent Australian computer crime and security survey published
by AusCERT (Australia's national computer emergency response team)
found that the "scale and sophistication" of trojan malware -
malicious software that is secretly installed on a computer - was
increasing and now accounted for about 20 per cent of the 700
incidents of online identity theft reported in Australia in the
year to April 2005.

The Federal Government last year looked at how our laws were
dealing with spyware and found that existing legislation was
adequate to stop breaches of privacy and security involving
spyware.

In May the Government released a discussion paper asking for
suggestions on how government and industry might respond to the
emerging threat of spyware. So far about 150 submissions have been
received.

One of the first topics raised is that of definitions.

Roger Clarke, a visiting professor at the Australian National
University and board member of the Australian Privacy Foundation,
believes a key issue when defining spyware is that of consent.

Dr Clarke believes any approach to counter spyware - whether
based on legislation or technology - needs to allow for legitimate
uses such as collecting information from a computer and sending it
to a third party.

Such uses could include software that regularly checks your
computer to see if a new version of a program is available or
cookies (small files placed on your computer when you visit a
webpage to help your browser recall details such as content
previously visited) or tools such as shopping carts.

Most people would say that any spyware used to retrieve
information such as credit card details or banking passwords is
malicious, but what about spyware that simply gathers information
to show web browsing trends?

Peter Philipp, chief executive officer at Melbourne-based IT
managed services company TechOnline, says some people are not
comfortable with this.

"That can be relatively innocuous but it's not something we
would readily give out about other parts of our private life," he
says.

PC Tools' Mr Clausen says his company's anti-spyware software -
called Spyware Doctor - does not try to stop legitimate adware
"when it's done in a consensual manner where the user is notified
of the value they're getting for the advertising".

Spyware is not just about people trying to make money -
criminally or otherwise. It also raises the question of the
extent to which governments are using the web to garner information
on people - particularly after September 11.

Recall the outcry in 2000 over the FBI's custom-built internet
surveillance technology, Carnivore, designed to read emails and
other online communications? In January it was reported that
Carnivore had been abandoned in favour of commercial
alternatives.

And then there's Echelon, a global communication interception
network involving the US, Britain, Canada, Australia and New
Zealand aimed at eavesdropping on radio and satellite
communications, phone calls, emails and faxes.

In Australia sources say that while it is difficult to gather
evidence of them doing so, some Federal Government agencies
probably have the authority to use spyware to collect information
about people if needed.

"Particularly in the current climate, there appears to be
authority for some agencies in Australia to, in effect, put spyware
on people's computers," Dr Clarke says. "I find it quite chilling
that we would give our agencies that kind of power."

So what to do?

Anti-spyware tools are also improving. Along with having the
ability to scan computers for spyware, they can now also block
spyware from being downloaded in the first place while still
allowing for interaction between your computer and the web.

It's a case of buyer beware, though: TechOnline's Mr Philipp
says there are software programs that masquerade as anti-spyware
programs that are themselves spyware.

Most experts seem to favour a multi-pronged approach that
includes some legislation but ups the ante on education.

But Dale Clapperton, a director of privacy watchdog group
Electronic Frontiers Australia, says legislation is not the answer.
He draws a parallel between spyware and spam.

"The biggest problem is that the vast majority of spyware comes
from overseas," he says. "A lot of it is originated by very shady
organisations who go to a great deal of trouble to make themselves
untraceable, and in a situation like that there are limits on how
far legislation will go."

Dr Clarke believes people need to be sceptical about downloading
software from the web or installing it from a CD.

"You've got to pause and think - what it is that gives me
confidence that that piece of software I'm about to download and
run is a sensible thing to be running on my machine?" he says.

Dr Clarke says people also need to recognise that because of the
risk spyware poses, the need for a speedy system of backup and
recovery is paramount.

"The more dependent on it we are, the more we've got to take
responsibility ourselves and not just say 'the government or
Microsoft or whoever our supplier is should have done this for
us'," he says.

"We've got to take that responsibility ourselves."

Hack attack

In mid-2003, a Melbourne solicitor received an email with a link
to a website purporting to be from his bank. He clicked on the
link, but decided it wasn't legitimate and thought no more of it.
Unbeknown to him software had been installed on his computer.
Designed to monitor his internet activity, it triggered a
key-logger to capture the keystrokes as he entered his bank account
number and password. The hacker withdrew the daily limit of
$14,990. The bank later reimbursed the solicitor. - TechOnline

Call for help

Soon after a Melbourne family started using their new computer -
and despite having installed anti-virus software - unwanted pop-up
screens began limiting the computer's speed. The computer's hard
drive was reformatted, but the problem worsened. The computer
eventually simply seized every time it was switched on. The owner
turned to an IT company for help, which deleted about 3000 pieces
of spyware. The family now uses the company's complete anti-spyware
suite, including two anti-spyware programs and a desktop spam
filter, anti-virus software and on-going maintenance and
scanning.

Playing safe

Make sure any computer connected to the internet has a firewall
installed and virus-scanning and anti-spam software.